If PCI Is Your Whole Security Program, You’re Not Doing Your Job Right

For most CISOs, the pain of an audit is part of the job, but it doesn’t have to be the nightmare that most of the IT community envisions. While attending the SOURCE Boston conference last week, your faithful SecurityWeek correspondent sat in on a rather frank discussion centered on the pain of a PCI assessment, and why said pain is completely unwarranted. Here’s a recap of the talk.

Presented by Michelle Klinger, a Sr. Consultant with EMC, and Martin Fisher, the Director of Information Security for WellStar Health System, the talk looked at the PCI assessment process from the perspective of a former QSA and an active security manager.

The goal was to highlight some basic processes that business leaders can follow in order to get through the assessment with as little stress as possible, a task that seems harder than it actually is.

Making the best of the situation

The talk started with a simple fact: most of what those in the IT community think they know about PCI assessments is wrong.

“Horror stories that you’ve heard about assessments are generally that – horror stories,” Fisher said, before expanding on his statement.

“Like most stories there’s two sides to it. Most of the horror stories that I’ve personally experienced, eighty percent of the blame went on the CISO at the time, and with the way he tried to manipulate the situation.”

At the same time, when the experience is a positive one, this too can be placed at the feet of the executive leading it. No matter what, the general tone of the process is set before the assessment starts.

Before The Assessment

One of the first things a QSA will look to accomplish is establishing an initial rapport with the organization’s leadership and their teams. The idea is to discover what it is the company is looking for. Obviously, Klinger explained, they want a compliant ROC (Report on Compliance), but what if there’s more? Organizations that are clear on what they hope to accomplish, such as using the ROC to push various security initiatives, will be helping themselves as well as the QSA in the long run.

The other side to this helpfulness is documentation. Assessments can sometimes require lots of documentation. Having the proper documents in place can mean the difference between a useless assessment, and one that actually gets stuff done, Klinger explained.

It isn’t as if the documents a QSA needs, or how they validate the PCI process, are a secret; both are well documented. Yet this area sometimes causes problems, as organizations come to the table unprepared, which in turn leads to issues further on.

With that said, prior to the QSA arriving onsite, make sure that an agenda has been discussed in advance, that all the people needed for the meeting are available, and that documents are in order, to prevent time being wasted, Klinger added. The documentation itself should carry timestamps and dates whenever possible, especially if it consists of screenshots.

The documentation should be as close to real time as possible, so as to show what is actually going on in the organization’s environment.

Even better, when the documentation is collected, present it to the QSA as a map. This lets the organization show the QSA that document X is intended to satisfy requirement Y. In the long run, the document map is a timesaver and will benefit both sides of the process.

“From a CISO perspective, if you don’t start this process well you’re going to be hosed,” Fisher said. “While as a CISO or a director, you might not be able to pick the QSA firm... you do have the ability to choose who the individual assessor is. This is a critical, key first step.”

CISOs should interview potential QSA candidates as if they were interviewing an employee. For example, Fisher added, use hypothetical questions and situations. “If their personality is one that will rub everybody on your team wrong, don’t use that person.”

Another thing for CISOs to consider is the truth.

“You need to be honest as a CISO. I’m not saying it’s like walking into a confession booth, ‘forgive me assessor for I have sinned,’ and just lay everything out. I’m not advocating that at all. But don’t lie. Because once you’ve lost your credibility with the QSA, their only recourse is to do a fishing expedition. It’s ugly and it’s painful, and you don’t want to be there,” Fisher explained.

“You also need to make sure that your team understands that lying to the QSA is going to give them the opportunity to add value to other organizations – other than your own – very quickly. Don’t tolerate it from your staff.”

During the Assessment

One of the things a QSA will look for is inconsistencies. This isn’t because they are searching for lies; they are looking for communication breakdowns between policy makers and those with “boots on the ground.”

This is why it matters that the documentation is prepared, and that the correct people with the relevant information are available from the start. It’s also why honesty is important. Communication breakdowns happen, and often no one is aware of them, so the assessment provides an opportunity to correct them and strengthen the organization.

“I can’t tell you how many times I’ve been stood up for meetings,” Klinger said. “The QSA, you have to understand, as well as the people being interviewed, want this to be done.”

Planning meetings with a QSA and then canceling them at the last moment, or not showing up at all, wastes time, and time can translate into money. Cancelations are expected, but if a meeting has to be canceled, there should be as much notice as possible, and an alternative date and time should be proposed in order to reschedule.

It’s basic politeness in many cases, but it can go a long way towards keeping the assessment process smooth. The last thing an organization or its staff needs is a QSA hunting people down. Often these meetings can be painful, which in some cases is why they’re avoided. But, Fisher added, the CISO should make it clear that the meetings are important and that the pain of the meeting is nothing compared to the pain that could come from blowing them off or neglecting them.

Another thing for organizations to remember, particularly the CISO, is the importance of managerial support. CISOs need to be supportive of their teams during the process and encourage them to work with the QSA, not against them. Again, being honest and open will play a large role in this.

However, the other side of support is influence. CISOs who try to strong-arm the QSA, or improperly influence the process, will cause more harm than good. In short, this is a career-ending move in some business segments.

Never let the QSA be in charge. They need scope and boundaries, and the CISO needs to enforce them. But if the QSA doubts the honesty of the CISO or his staff, “you’re done,” Fisher explained.

“They’re not going to believe anything you say. The assessment will take longer, and instead of giving you the benefit of the doubt on something that’s on the cusp – you’re toast.”

The bottom line: since the CISO cannot improperly influence the QSA, or even appear to be doing so, any problem with the QSA needs to be taken up with the QSA’s boss. However, if the QSA was interviewed beforehand, this shouldn’t be an issue.

After the Onsite Assessment

Before the QSA leaves, get a meeting with them for an overview of the major items they’ve identified. This helps management gauge the level of effort needed for remediation. It also helps with identifying potential discrepancies.

In addition, the organization needs to make sure that outstanding items are delivered in a timely fashion. Outstanding items happen. This is part of the process, but it’s something that must be addressed sooner rather than later. Also, make sure that the QSA delivers a list of findings.

CISOs should expect this, but they should make it clear to the QSA that the list is to be delivered ASAP. The QSA is relying on the organization to review the findings and discuss them. As remediation begins, keep the QSA in the loop and communicate with them periodically as changes are made.

“The biggest mistake that too many CISOs make is they don’t realize the ROC is negotiable,” Fisher said.

“Now I’m not saying that you can bend reality. I’m not saying that at all. But for example, in certain industries, certain words [have different meanings]... If in your conversation with the assessor, if they keep using a word that to them is a middle sized problem, but in your world it means the four horsemen are saddling up, explain to them the cultural context of that word...”

Doing so allows the ROC to use language that the organization’s board of directors and senior leadership understand. It also enables the CISO to ensure that the ROC is accurate.

From there, the CISO needs to use the ROC to determine where the organization “needs to go from here,” Fisher added. However, while it is vital that the CISO form a plan, they cannot use the list of remediation items as that plan.

“If you do that, you suck,” he said. “PCI is not your whole program. If PCI is your whole program, you’re not doing your job right.”

In the end, assessments can be heaven or hell. “You either get a Scotch that’s warm and peaty or you get a warm bottle of Zima,” Fisher humorously concluded.

The quality of the beverage (and the assessment), and the level of pain, are completely in the hands of the organization. With a little effort and some focus, it’s entirely possible for CISOs and their teams not only to survive a PCI assessment, but to survive it with their sanity intact.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.